
Research On Realization And Detection Of Improved Rootkit

Posted on: 2016-07-26
Degree: Master
Type: Thesis
Country: China
Candidate: C L Li
GTID: 2308330470462274
Subject: Network Security
Abstract/Summary:
With the development of Internet application technology and the spread of Internet-based business models, computer viruses, Trojans and other malicious programs have grown explosively and pose a serious threat to the security of computer networks. Because Microsoft Windows holds such a large share of installed systems, malware and Trojans targeting the Windows platform have attracted considerable research interest in recent years. Rootkit technology, whose purpose is to remain on a host persistently and reliably without its presence being detected, has therefore become a hot topic in host-based detection research.

This thesis first introduces the background knowledge of Rootkits on Windows, covering the Ring0 and Ring3 privilege levels, the layout and protection of kernel memory, the common methods used to bypass write protection on kernel memory, the kernel driver model, and the PE file format, and then summarizes the technical principles of commonly used Rootkits. Building on this understanding of Rootkit techniques, it proposes an improved scheme for the traditional SSDT hook and an evasion scheme against the KiFastCallEntry hooks used by current mainstream anti-virus software, and presents the principle, design and experimental testing of both.

To address the deficiencies of traditional Rootkit detection techniques, the thesis designs and implements a Rootkit detection framework model and compares and analyses anomaly detection models based on system calls: the traditional short-sequence (N-gram) model, the DFA model, and the frequency-based KNN (K-Nearest Neighbor) model. On the basis of the original system-call sequence algorithm, it proposes using the typical behavioural characteristics of Rootkits to characterize program behaviour, and introduces system-call parameters as influence factors on the system-call weights through the Analytic Hierarchy Process (AHP), so that the pairwise comparison matrix quantifies the weight of each system call precisely. Finally, the program under examination is classified by a fuzzy recognition method. The improvement reduces the time overhead of the traditional anomaly detection model and further raises its detection accuracy.
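As an added illustration of the detection side of the abstract, the following Python example is not the thesis author's model or code. It shows the traditional short-sequence (N-gram) anomaly model beside a weighted variant in which per-call weights come from an AHP pairwise comparison matrix (priority vector by power iteration, with Saaty's consistency ratio) and the final verdict comes from a fuzzy membership ramp. The system-call names, the training traces, the comparison matrix, the default weight for calls outside the matrix and the fuzzy thresholds are all constructed assumptions for this example.

```python
"""Weighted N-gram system-call anomaly detection (added illustration).

Example code written for this page, not the thesis author's model.  The
system-call names, training traces, AHP comparison matrix, default weight
and fuzzy thresholds below are all constructed assumptions.
"""

# Constructed short-sequence training traces of a benign program.
NORMAL_TRACES = [
    ["NtOpenFile", "NtReadFile", "NtReadFile", "NtClose"],
    ["NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose"],
    ["NtOpenFile", "NtQueryDirectoryFile", "NtClose"],
]

# Constructed traces to score: a rootkit-like driver loader, and a harmless
# variant that merely writes where the training data only read.
SUSPECT_TRACE = ["NtOpenFile", "NtLoadDriver", "NtOpenProcess",
                 "NtWriteVirtualMemory", "NtClose"]
BENIGN_VARIANT = ["NtOpenFile", "NtWriteFile", "NtClose"]

# Constructed AHP pairwise comparison matrix on Saaty's 1-9 scale.  Entry
# [i][j] answers "how much more rootkit-typical is call i than call j?".
AHP_CALLS = ["NtLoadDriver", "NtWriteVirtualMemory", "NtOpenProcess", "NtOpenFile"]
AHP_MATRIX = [
    [1,     2,     3,     7],
    [1 / 2, 1,     2,     5],
    [1 / 3, 1 / 2, 1,     3],
    [1 / 7, 1 / 5, 1 / 3, 1],
]
SAATY_RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}  # random index
DEFAULT_WEIGHT = 0.05            # assumed weight for calls outside the matrix
FUZZY_LOW, FUZZY_HIGH = 0.2, 1.0  # assumed ramp of the "malicious" membership
NGRAM_N = 2


def ahp_weights(matrix, iterations=100):
    """Priority vector (principal eigenvector) by power iteration, plus the
    Saaty consistency ratio; CR > 0.1 means the judgements are inconsistent."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = SAATY_RI.get(n, 1.0)
    return w, (ci / ri if ri else 0.0)


def call_weights():
    """Map each system call in the matrix to its AHP weight."""
    w, _ = ahp_weights(AHP_MATRIX)
    return dict(zip(AHP_CALLS, w))


def ngrams(trace, n=NGRAM_N):
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(traces, n=NGRAM_N):
    """Set of N-grams observed in normal behaviour (the traditional model)."""
    return {g for t in traces for g in ngrams(t, n)}


def ngram_mismatch_ratio(trace, profile, n=NGRAM_N):
    """Traditional score: fraction of the trace's N-grams absent from the profile."""
    grams = ngrams(trace, n)
    if not grams:                      # trace shorter than N: nothing to judge
        return 0.0
    return sum(g not in profile for g in grams) / len(grams)


def weighted_score(trace, profile, weights, n=NGRAM_N):
    """Weighted score: every missing N-gram costs the weight of its most
    rootkit-typical call, so a mismatch on NtLoadDriver outweighs one on
    an ordinary file call."""
    return sum(max(weights.get(c, DEFAULT_WEIGHT) for c in g)
               for g in ngrams(trace, n) if g not in profile)


def malicious_membership(score):
    """Fuzzy membership of the score in the 'malicious' set: 0 at or below
    FUZZY_LOW, 1 at or above FUZZY_HIGH, linear in between."""
    if score <= FUZZY_LOW:
        return 0.0
    if score >= FUZZY_HIGH:
        return 1.0
    return (score - FUZZY_LOW) / (FUZZY_HIGH - FUZZY_LOW)


def classify(trace, profile, weights):
    """Return (weighted score, membership, verdict) for one trace."""
    score = weighted_score(trace, profile, weights)
    mu = malicious_membership(score)
    return score, mu, ("malicious" if mu >= 0.5 else "benign")


if __name__ == "__main__":
    prof = build_profile(NORMAL_TRACES)
    cw = call_weights()
    for name, t in (("suspect", SUSPECT_TRACE), ("variant", BENIGN_VARIANT)):
        print(name, round(ngram_mismatch_ratio(t, prof), 2), classify(t, prof, cw))
```

The point of the comparison is that the plain mismatch ratio scores the harmless variant at 0.5 purely because it contains one unseen bigram, while the weighted score charges that bigram only the small weight of NtOpenFile and reserves high scores for sequences involving NtLoadDriver and NtWriteVirtualMemory; the consistency ratio returned by `ahp_weights` is the check a practitioner should run before trusting any hand-built comparison matrix.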
Keywords/Search Tags:Rootkit, system call, anomaly detection, fuzzy recognition